| From fafe4c212bf6c32c3021d7b69bcc0cf219e71608 Mon Sep 17 00:00:00 2001 |
| From: Dan Cashman <dcashman@android.com> |
| Date: Tue, 29 Aug 2017 09:32:05 -0700 |
| Subject: [PATCH 2/4] libsepol: cil: Add ability to redeclare types[attributes] |
| |
| Modify cil_gen_node() to check to see if the cil_db supports multiple |
| declarations, and if so, to check whether or not the |
| repeated symbol is eligible to share the existing, already-stored datum. The |
| only types considered so far are CIL_TYPE and CIL_TYPEATTRIBUTE, both of |
| which install empty datums during AST building, so they automatically return |
| true. |
| |
| Test: Build policy with multiple type and attribute declarations, and |
| without. Policies are binary-identical. |
| |
| Signed-off-by: Dan Cashman <dcashman@android.com> |
| Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> |
| --- |
| secilc/secilc.c | 9 ++++++++- |
| 1 file changed, 8 insertions(+), 1 deletion(-) |
| |
| diff --git a/secilc/secilc.c b/secilc/secilc.c |
| index f2232e72..0be6975b 100644 |
| --- a/secilc/secilc.c |
| +++ b/secilc/secilc.c |
| @@ -63,6 +63,7 @@ static __attribute__((__noreturn__)) void usage(const char *prog) |
| printf(" statement if present in the policy\n"); |
| printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n"); |
| printf(" -P, --preserve-tunables treat tunables as booleans\n"); |
| + printf(" -m, --multiple-decls allow some statements to be re-declared\n"); |
| printf(" -N, --disable-neverallow do not check neverallow rules\n"); |
| printf(" -G, --expand-generated Expand and remove auto-generated attributes\n"); |
| printf(" -X, --expand-size <SIZE> Expand type attributes with fewer than <SIZE>\n"); |
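Review bot: The new help line for `-m` says "allow some statements to be re-declared" without naming which statements, so a policy author reading `--help` cannot tell what the flag loosens; the commit message says only types and typeattributes are affected. Since the option turns a duplicate-declaration error into a silent merge of the existing datum, the scope matters for anyone auditing a compiled policy, and the default (off) keeps the strict behaviour. Suggest `printf(" -m, --multiple-decls allow type and typeattribute statements to be re-declared\n");`, or otherwise pointing at the man page if that is where the list is kept. usage() starts outside this hunk.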
| @@ -89,6 +90,7 @@ int main(int argc, char *argv[]) |
| int target = SEPOL_TARGET_SELINUX; |
| int mls = -1; |
| int disable_dontaudit = 0; |
| + int multiple_decls = 0; |
| int disable_neverallow = 0; |
| int preserve_tunables = 0; |
| int handle_unknown = -1; |
| @@ -108,6 +110,7 @@ int main(int argc, char *argv[]) |
| {"policyversion", required_argument, 0, 'c'}, |
| {"handle-unknown", required_argument, 0, 'U'}, |
| {"disable-dontaudit", no_argument, 0, 'D'}, |
| + {"multiple-decls", no_argument, 0, 'm'}, |
| {"disable-neverallow", no_argument, 0, 'N'}, |
| {"preserve-tunables", no_argument, 0, 'P'}, |
| {"output", required_argument, 0, 'o'}, |
| @@ -119,7 +122,7 @@ int main(int argc, char *argv[]) |
| int i; |
| |
| while (1) { |
| - opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDNc:GX:", long_opts, &opt_index); |
| + opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDmNc:GX:", long_opts, &opt_index); |
| if (opt_char == -1) { |
| break; |
| } |
| @@ -175,6 +178,9 @@ int main(int argc, char *argv[]) |
| case 'D': |
| disable_dontaudit = 1; |
| break; |
| + case 'm': |
| + multiple_decls = 1; |
| + break; |
| case 'N': |
| disable_neverallow = 1; |
| break; |
| @@ -223,6 +229,7 @@ int main(int argc, char *argv[]) |
| |
| cil_db_init(&db); |
| cil_set_disable_dontaudit(db, disable_dontaudit); |
| + cil_set_multiple_decls(db, multiple_decls); |
| cil_set_disable_neverallow(db, disable_neverallow); |
| cil_set_preserve_tunables(db, preserve_tunables); |
| if (handle_unknown != -1) { |
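Review bot: The call to cil_set_multiple_decls() assumes the libsepol this binary links against already exports that setter, which is not part of this diff; the subject names this as patch 2/4 and the description talks about cil_gen_node(), so the library side presumably lands in a sibling patch of the series. Worth confirming that the declaration is in the cil public header and that the series is applied in an order where secilc does not fail to build or link in between. The surrounding main() body continues outside this hunk.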
| -- |
| 2.16.1.291.g4437f3f132-goog |
| |